Bug 1136035

Summary: VUL-0: mariadb: 10.2.24 security release
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: dmueller, kstreitova, pstivanin, rfrohl, rsalevsky
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2019-05-23 08:56:57 UTC
https://mariadb.com/kb/en/library/mariadb-10224-release-notes/

Release date: 9 May 2019

MariaDB 10.2 is the previous stable series of MariaDB. It is an evolution of MariaDB 10.1 with several entirely new features not found anywhere else and with backported and reimplemented features from MySQL 5.6 and 5.7.

MariaDB 10.2.24 will be a Stable (GA) release.

For an overview of MariaDB 10.2 see the What is MariaDB 10.2? page.

Upgrading from earlier 10.2.x versions is highly recommended for all Galera users due to bug MDEV-12837 which caused serious stability issues with earlier versions. See the bug issue page for more information.

Thanks, and enjoy MariaDB!

Notable Changes

General server

    MDEV-18968 - Both (WHERE 0.1) and (WHERE NOT 0.1) return empty set
    MDEV-18466 - Unsafe to log updates on tables referenced by foreign keys with triggers in statement format
    MDEV-18899 - Server crashes in Field::set_warning_truncated_wrong_value
    MDEV-18298 - Crashes server with segfault during role grants
    MDEV-17610 - Unexpected connection abort after certain operations from within stored procedure
    MDEV-19112 - WITH clause does not work with information_schema as default database
    MDEV-17830 - Server crashes in Item_null_result::field_type upon SELECT with CHARSET(date) and ROLLUP
    MDEV-14041 - Server crashes in String::length on queries with functions and ROLLUP
    MDEV-18920 - Prepared statements with st_convexhull hang and eat 100% cpu.
    MDEV-15837 - Assertion item1->type() == Item::FIELD_ITEM && item2->type() == Item::FIELD_ITEM
    MDEV-9531 - GROUP_CONCAT with ORDER BY inside takes a lot of memory while it's executed
    MDEV-17036 - BULK with replace doesn't take the first parameter in account
    Bug#28986737 - RENAMING AND REPLACING MYSQL.USER TABLE CAN LEAD TO A SERVER CRASH
    MDEV-19350 - Server crashes in delete_tree_element / ... / Item_func_group_concat::repack_tree
    MDEV-19188 - Server Crash When Using a Trigger With A Number of Virtual Columns on INSERT/UPDATE
    MDEV-19352 - Server crash in alloc_histograms_for_table_share upon query from information schema 

InnoDB

    Merge InnoDB changes from MySQL 5.6.44 and 5.7.26
    InnoDB persistent corruption fixes: MDEV-19426, MDEV-19022, MDEV-19241, MDEV-13942
    InnoDB recovery fixes and speedup: MDEV-18733, MDEV-12699, MDEV-19356, MDEV-19426 

Encryption

    MDEV-14398 - innodb_encrypt_tables will work even with innodb_encryption_rotate_key_age=0 

Protocol

    MDEV-17036 - BULK with replace doesn't take the first parameter in account 

Replication

    MDEV-14784 - Slave crashes in show_status_array upon running a trigger with select from I_S 

Mariabackup

    MDEV-19060 - mariabackup continues, despite failing to open a tablespace 

Packaging & Misc

    MDEV-19054 - mysql_upgrade_service now allows MySQL 5.7 to MariaDB 10.2 upgrade
    Starting with this release, we are now providing src.rpm packages for some platforms (MDEV-7066)
    As per the MariaDB Deprecation Policy, this will be the last release of MariaDB 10.2 for Fedora 28 

Security

    MDEV-18686 - Add option to PAM authentication plugin to allow case insensitive username matching
    bugfix - multi-update checked privileges on views incorrectly (commit 5057d4637525eadad438d25ee6a4870a4e6b384c)
    MDEV-19276 - during connect, write error log warning for ER_DBACCESS_DENIED_ERROR, if log_warnings > 1
    MDEV-17456 - Malicious SUPER user can possibly change audit log configuration without leaving traces. 

    Fixes for the following security vulnerabilities:
        CVE-2019-2614
        CVE-2019-2627
        CVE-2019-2628

Comment 9 Swamp Workflow Management 2019-07-30 16:11:24 UTC
SUSE-SU-2019:2020-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1126088,1132666,1136035
CVE References: CVE-2019-2614,CVE-2019-2627,CVE-2019-2628
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    mariadb-10.2.25-3.17.2, mariadb-connector-c-3.1.2-3.9.3
SUSE Linux Enterprise Module for Server Applications 15 (src):    mariadb-10.2.25-3.17.2, mariadb-connector-c-3.1.2-3.9.3
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    mariadb-10.2.25-3.17.2, mariadb-connector-c-3.1.2-3.9.3
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    mariadb-10.2.25-3.17.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    mariadb-connector-c-3.1.2-3.9.3
SUSE Linux Enterprise Module for Basesystem 15 (src):    mariadb-connector-c-3.1.2-3.9.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 11 Swamp Workflow Management 2019-08-15 13:11:49 UTC
openSUSE-SU-2019:1915-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1126088,1132666,1136035
CVE References: CVE-2019-2614,CVE-2019-2627,CVE-2019-2628
Sources used:
openSUSE Leap 15.0 (src):    mariadb-10.2.25-lp150.2.13.1, mariadb-connector-c-3.1.2-lp150.10.1

Comment 12 Swamp Workflow Management 2019-08-15 13:13:36 UTC
openSUSE-SU-2019:1913-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1126088,1132666,1136035
CVE References: CVE-2019-2614,CVE-2019-2627,CVE-2019-2628
Sources used:
openSUSE Leap 15.1 (src):    mariadb-10.2.25-lp151.2.3.1, mariadb-connector-c-3.1.2-lp151.3.3.1

Comment 13 Swamp Workflow Management 2019-09-06 19:13:31 UTC
SUSE-SU-2019:2330-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1126088,1132666,1136035,1143215
CVE References: CVE-2019-2614,CVE-2019-2627,CVE-2019-2628
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    mariadb-10.2.25-3.19.2
SUSE OpenStack Cloud 9 (src):    mariadb-10.2.25-3.19.2
SUSE Linux Enterprise Server 12-SP4 (src):    mariadb-10.2.25-3.19.2, mariadb-connector-c-3.1.2-2.6.6
SUSE Linux Enterprise Desktop 12-SP4 (src):    mariadb-10.2.25-3.19.2, mariadb-connector-c-3.1.2-2.6.6

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 16 Swamp Workflow Management 2019-10-30 20:17:43 UTC
SUSE-SU-2019:2867-1: An update that solves 11 vulnerabilities and has 10 fixes is now available.

Category: security (moderate)
Bug References: 1019074,1096985,1106515,1115960,1116846,1118900,1120657,1125893,1126088,1132593,1132666,1136035,1141121,1141676,1143215,1145796,1146578,1148158,1148383,1150895,917802
CVE References: CVE-2015-3448,CVE-2016-10127,CVE-2018-15727,CVE-2018-19039,CVE-2018-558213,CVE-2019-13611,CVE-2019-15043,CVE-2019-2614,CVE-2019-2627,CVE-2019-2628,CVE-2019-5477
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    crowbar-core-5.0+git.1569597589.1f025c557-3.32.2, crowbar-ha-5.0+git.1567673535.607aada-3.26.2, crowbar-openstack-5.0+git.1570141351.058c8bd44-4.31.2, crowbar-ui-1.2.0+git.1568396400.0344a727-3.12.3, galera-3-25.3.25-4.6.3, grafana-4.6.5-4.6.3, mariadb-10.2.25-4.14.2, mariadb-connector-c-3.1.2-3.12.3, novnc-1.0.0-3.6.3, openstack-cinder-11.2.3~dev16-3.21.4, openstack-cinder-doc-11.2.3~dev16-3.21.3, openstack-glance-15.0.3~dev3-3.12.4, openstack-glance-doc-15.0.3~dev3-3.12.3, openstack-heat-9.0.8~dev13-3.24.4, openstack-heat-doc-9.0.8~dev13-3.24.3, openstack-horizon-plugin-neutron-vpnaas-ui-1.0.1~dev3-3.6.4, openstack-keystone-12.0.4~dev4-5.27.4, openstack-keystone-doc-12.0.4~dev4-5.27.3, openstack-monasca-installer-20190923_16.32-3.9.3, openstack-neutron-11.0.9~dev51-3.24.5, openstack-neutron-doc-11.0.9~dev51-3.24.4, openstack-neutron-gbp-7.3.1~dev56-3.9.4, openstack-neutron-lbaas-11.0.4~dev6-3.15.4, openstack-neutron-lbaas-doc-11.0.4~dev6-3.15.4, openstack-nova-16.1.9~dev7-3.29.3, openstack-nova-doc-16.1.9~dev7-3.29.3, python-amqp-2.2.2-3.6.3, python-ovs-2.7.2-3.6.1, python-pysaml2-4.0.2-5.3.3, python-urllib3-1.22-5.9.3, release-notes-suse-openstack-cloud-8.20190911-3.20.3, rubygem-easy_diff-1.0.0-3.4.2
SUSE OpenStack Cloud 8 (src):    ardana-ansible-8.0+git.1566374355.c509923-3.67.3, ardana-glance-8.0+git.1566376789.be0fe01-3.17.3, ardana-horizon-8.0+git.1565816064.5d4f73f-3.18.3, ardana-input-model-8.0+git.1566517401.98450e6-3.33.3, ardana-manila-8.0+git.1568835837.2452e7a-1.21.3, ardana-neutron-8.0+git.1568220097.74ee4b4-3.33.3, ardana-nova-8.0+git.1566902754.c58ff69-3.35.3, ardana-octavia-8.0+git.1568373448.bcaee7e-3.20.3, ardana-tempest-8.0+git.1566471887.fd2fec7-3.27.3, galera-3-25.3.25-4.6.3, grafana-4.6.5-4.6.3, mariadb-10.2.25-4.14.2, mariadb-connector-c-3.1.2-3.12.3, novnc-1.0.0-3.6.3, openstack-cinder-11.2.3~dev16-3.21.4, openstack-cinder-doc-11.2.3~dev16-3.21.3, openstack-glance-15.0.3~dev3-3.12.4, openstack-glance-doc-15.0.3~dev3-3.12.3, openstack-heat-9.0.8~dev13-3.24.4, openstack-heat-doc-9.0.8~dev13-3.24.3, openstack-horizon-plugin-neutron-vpnaas-ui-1.0.1~dev3-3.6.4, openstack-keystone-12.0.4~dev4-5.27.4, openstack-keystone-doc-12.0.4~dev4-5.27.3, openstack-monasca-installer-20190923_16.32-3.9.3, openstack-neutron-11.0.9~dev51-3.24.5, openstack-neutron-doc-11.0.9~dev51-3.24.4, openstack-neutron-gbp-7.3.1~dev56-3.9.4, openstack-neutron-lbaas-11.0.4~dev6-3.15.4, openstack-neutron-lbaas-doc-11.0.4~dev6-3.15.4, openstack-nova-16.1.9~dev7-3.29.3, openstack-nova-doc-16.1.9~dev7-3.29.3, python-amqp-2.2.2-3.6.3, python-ovs-2.7.2-3.6.1, python-pysaml2-4.0.2-5.3.3, python-python-engineio-2.0.2-3.3.3, python-urllib3-1.22-5.9.3, release-notes-suse-openstack-cloud-8.20190911-3.20.3, venv-openstack-aodh-5.1.1~dev7-12.20.2, venv-openstack-barbican-5.0.2~dev3-12.21.2, venv-openstack-ceilometer-9.0.8~dev7-12.18.2, venv-openstack-cinder-11.2.3~dev16-14.21.2, venv-openstack-designate-5.0.3~dev7-12.19.2, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.16.2, venv-openstack-glance-15.0.3~dev3-12.19.2, venv-openstack-heat-9.0.8~dev13-12.21.2, venv-openstack-horizon-12.0.4~dev6-14.26.2, venv-openstack-ironic-9.1.8~dev7-12.21.2, venv-openstack-keystone-12.0.4~dev4-11.22.3, 
venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.20.2, venv-openstack-manila-5.1.1~dev2-12.23.2, venv-openstack-monasca-2.2.2~dev1-11.18.2, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.16.2, venv-openstack-murano-4.0.2~dev2-12.16.2, venv-openstack-neutron-11.0.9~dev51-13.24.3, venv-openstack-nova-16.1.9~dev7-11.22.3, venv-openstack-octavia-1.0.6~dev2-12.21.2, venv-openstack-sahara-7.0.4~dev1-11.20.2, venv-openstack-swift-2.15.2-11.13.3, venv-openstack-trove-8.0.1~dev13-11.20.2
HPE Helion Openstack 8 (src):    ardana-ansible-8.0+git.1566374355.c509923-3.67.3, ardana-glance-8.0+git.1566376789.be0fe01-3.17.3, ardana-horizon-8.0+git.1565816064.5d4f73f-3.18.3, ardana-input-model-8.0+git.1566517401.98450e6-3.33.3, ardana-manila-8.0+git.1568835837.2452e7a-1.21.3, ardana-neutron-8.0+git.1568220097.74ee4b4-3.33.3, ardana-nova-8.0+git.1566902754.c58ff69-3.35.3, ardana-octavia-8.0+git.1568373448.bcaee7e-3.20.3, ardana-tempest-8.0+git.1566471887.fd2fec7-3.27.3, galera-3-25.3.25-4.6.3, grafana-4.6.5-4.6.3, mariadb-10.2.25-4.14.2, mariadb-connector-c-3.1.2-3.12.3, novnc-1.0.0-3.6.3, openstack-cinder-11.2.3~dev16-3.21.4, openstack-cinder-doc-11.2.3~dev16-3.21.3, openstack-glance-15.0.3~dev3-3.12.4, openstack-glance-doc-15.0.3~dev3-3.12.3, openstack-heat-9.0.8~dev13-3.24.4, openstack-heat-doc-9.0.8~dev13-3.24.3, openstack-horizon-plugin-neutron-vpnaas-ui-1.0.1~dev3-3.6.4, openstack-keystone-12.0.4~dev4-5.27.4, openstack-keystone-doc-12.0.4~dev4-5.27.3, openstack-monasca-installer-20190923_16.32-3.9.3, openstack-neutron-11.0.9~dev51-3.24.5, openstack-neutron-doc-11.0.9~dev51-3.24.4, openstack-neutron-gbp-7.3.1~dev56-3.9.4, openstack-neutron-lbaas-11.0.4~dev6-3.15.4, openstack-neutron-lbaas-doc-11.0.4~dev6-3.15.4, openstack-nova-16.1.9~dev7-3.29.3, openstack-nova-doc-16.1.9~dev7-3.29.3, python-amqp-2.2.2-3.6.3, python-pysaml2-4.0.2-5.3.3, python-python-engineio-2.0.2-3.3.3, python-urllib3-1.22-5.9.3, release-notes-hpe-helion-openstack-8.20190911-3.20.3, venv-openstack-aodh-5.1.1~dev7-12.20.2, venv-openstack-barbican-5.0.2~dev3-12.21.2, venv-openstack-ceilometer-9.0.8~dev7-12.18.2, venv-openstack-cinder-11.2.3~dev16-14.21.2, venv-openstack-designate-5.0.3~dev7-12.19.2, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.16.2, venv-openstack-glance-15.0.3~dev3-12.19.2, venv-openstack-heat-9.0.8~dev13-12.21.2, venv-openstack-horizon-hpe-12.0.4~dev6-14.26.2, venv-openstack-ironic-9.1.8~dev7-12.21.2, venv-openstack-keystone-12.0.4~dev4-11.22.3, 
venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.20.2, venv-openstack-manila-5.1.1~dev2-12.23.2, venv-openstack-monasca-2.2.2~dev1-11.18.2, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.16.2, venv-openstack-murano-4.0.2~dev2-12.16.2, venv-openstack-neutron-11.0.9~dev51-13.24.3, venv-openstack-nova-16.1.9~dev7-11.22.3, venv-openstack-octavia-1.0.6~dev2-12.21.2, venv-openstack-sahara-7.0.4~dev1-11.20.2, venv-openstack-swift-2.15.2-11.13.3, venv-openstack-trove-8.0.1~dev13-11.20.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 18 Swamp Workflow Management 2019-12-11 14:35:09 UTC
SUSE-SU-2019:3270-1: An update that solves four vulnerabilities and has 6 fixes is now available.

Category: security (moderate)
Bug References: 1075812,1123053,1126088,1126428,1129729,1132666,1136035,1143215,1152916,1155089
CVE References: CVE-2017-1002201,CVE-2019-2614,CVE-2019-2627,CVE-2019-2628
Sources used:
SUSE OpenStack Cloud 7 (src):    caasp-openstack-heat-templates-1.0+git.1560518045.ad7dc6d-1.9.1, crowbar-core-4.0+git.1573109906.0f62e9503-9.57.2, crowbar-openstack-4.0+git.1573038068.1e32b3205-9.62.2, crowbar-ui-1.1.0+git.1547500033.d0fb2bf2-4.12.1, galera-3-25.3.25-11.1, mariadb-10.2.25-13.1, mariadb-connector-c-3.1.2-1.9.1, openstack-dashboard-theme-SUSE-2016.2-5.9.2, openstack-heat-templates-0.0.0+git.1515995585.81ed236-12.1, openstack-neutron-9.4.2~dev21-7.35.3, openstack-neutron-doc-9.4.2~dev21-7.35.1, openstack-nova-14.0.11~dev13-4.37.3, openstack-nova-doc-14.0.11~dev13-4.37.2, patterns-cloud-20170124-4.6.1, python-oslo.messaging-5.10.2-3.12.1, python-oslo.utils-3.16.1-3.6.1, python-pysaml2-4.0.2-3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 19 Marcus Meissner 2020-01-31 14:44:52 UTC
released